While the threat of Coronavirus grabs the attention of the world, our latest Global Threat Index for January 2020 shows cyber-criminals are also exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus.

The most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet – the leading malware type for the 4th month running – in malicious email attachments purporting to be sent by a Japanese disability welfare service provider. The emails appear to report where the infection is spreading in several Japanese cities, encouraging the victim to open the document which, if opened, attempts to download Emotet onto their computer.

The January report also identified a malicious Lokibot sample – the 8th most popular malware this month – targeting Indonesia, with emails about how people in Indonesia can best protect themselves against the virus. Alongside the malicious Coronavirus spam campaigns, which we expect to become even more widespread over the coming days, our research shows there has also been a surge in scam websites using Coronavirus in their domain names, allegedly selling vaccinations against the virus.

January also saw an increase in attempts to exploit the “MVPower DVR Remote Code Execution” vulnerability, impacting 45% of organizations globally. It rose from the 2nd most exploited vulnerability in December to the top position this month. The “Web Server Git Repository Information Disclosure” follows closely behind, with a global impact of 44%, rising from 3rd position to 2nd position this month.

Over the past four months, the top threats have remained the same versatile, multi-purpose malware families, including Emotet, XMRig, and Trickbot. Collectively, these top three malware types impact 30% of organizations globally. These attacks can be extremely damaging, leaving organizations vulnerable to data theft, extortion or operational disruption. Employees should be educated about the risks of opening, downloading or clicking on external documents that do not come from trusted sources or contacts.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month the top three malware families remained as in the previous month – Emotet retains 1st place, impacting 13% of organizations globally, followed by XMRig and Trickbot, impacting 10% and 7% of organizations worldwide respectively.

↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently has been used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It can also spread through phishing spam emails containing malicious attachments or links.

↔ XMRig – XMRig is open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.

↔ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This makes Trickbot a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.

↔ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and password stealer. Agent Tesla is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software on victims’ machines (including Google Chrome, Mozilla Firefox and Microsoft Outlook).

↑ Formbook – Formbook is an infostealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.

↑ Vidar – Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and used as a malware dropper that downloads GandCrab ransomware as its secondary payload.

↓ Lokibot – Lokibot is an infostealer distributed mainly by phishing emails, and is used to steal data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.

↑ Hawkeye – Hawkeye is an infostealer malware, designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In recent years, Hawkeye has gained the ability to take screenshots, spread via USB and more, in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware as a Service).

↔ xHelper – xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user, and of reinstalling itself if uninstalled.

Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” was the most commonly exploited vulnerability, impacting 45% of organizations globally, closely followed by “Web Server Exposed Git Repository Information Disclosure” with a global impact of 44%. In 3rd place, the “PHP DIESCAN information disclosure” vulnerability impacted 42% of organizations worldwide.
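The “Web Server Exposed Git Repository Information Disclosure” entry above is a case where web server access logs alone reveal both the probing and the exposure: a request for a path under `.git/` that the server answers with a 2xx status means the repository (including `.git/config`, which may carry credentials) is readable. The following detection routine is an added example, not Check Point’s code or data; it assumes the Apache/nginx “combined” log format, and the log lines, IP addresses and timestamps are constructed for the example.

```python
"""Detect probes for an exposed .git directory in web server access logs (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Apache/nginx "combined" log format (assumed for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any path component named ".git": HEAD, config, index and objects/ are the
# files a git client or scanner fetches first when reconstructing a repository.
GIT_PROBE_RE = re.compile(r'(^|/)\.git(/|$)')

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jan/2020:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [14/Jan/2020:10:01:06 +0000] "GET /.git/config HTTP/1.1" 200 312
198.51.100.9 - - [14/Jan/2020:10:02:10 +0000] "GET /app/.git/index HTTP/1.1" 404 153
192.0.2.44 - - [14/Jan/2020:10:03:00 +0000] "GET /about HTTP/1.1" 200 2048
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def find_git_probes(log_text: str) -> List[dict]:
    """Return every request whose path touches a .git directory.

    Each hit carries an 'exposed' flag: True when the server answered with a
    2xx status, i.e. the repository contents were actually served.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # malformed or foreign-format line; skip rather than crash
        if GIT_PROBE_RE.search(rec["path"]):
            rec["exposed"] = rec["status"].startswith("2")
            hits.append(rec)
    return hits


def summarize(hits: List[dict]) -> Tuple[Counter, List[str]]:
    """Probing sources (count per IP) and the set of .git paths that were served."""
    by_ip = Counter(h["ip"] for h in hits)
    exposed_paths = sorted({h["path"] for h in hits if h["exposed"]})
    return by_ip, exposed_paths


if __name__ == "__main__":
    probes = find_git_probes(SAMPLE_LOG)
    sources, served = summarize(probes)
    for ip, n in sources.most_common():
        print(f"{ip}: {n} .git request(s)")
    print("served .git paths (repository exposed):", served or "none")
```

A 404 probe (the 198.51.100.9 line) is worth alerting on as reconnaissance, but a 200 on `.git/HEAD` or `.git/config` is the finding that needs remediation: deny the `.git` path at the web server and rotate anything stored in the repository configuration.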

↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid Content-Type header as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.

↓ SQL Injection (several techniques) – Injecting SQL query fragments into input sent from a client to an application, exploiting a security vulnerability in the application’s software.

↓ Command Injection Over HTTP – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation allows the attacker to execute arbitrary code on the target machine.
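The last two entries, SQL injection and command injection over HTTP, share one root cause: untrusted request input is concatenated into text that another interpreter (the database engine or a shell) then parses. The example below is added here and is not Check Point’s code; it pairs a vulnerable handler with its hardened form for each case. The SQLite table, the user records and the hostnames are constructed for the example, and the `ping -c 1` command is only built, never executed.

```python
"""Vulnerable and hardened handling of untrusted input: SQL and OS commands (added example)."""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # The request value is pasted into the query text, so a value containing
    # quotes and SQL keywords changes the structure of the query itself.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Parameter binding: the value travels separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for a hostname parameter: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_command_vulnerable(host: str) -> str:
    # A string destined for subprocess.run(..., shell=True) or os.system():
    # shell metacharacters in `host` (';', '|', '$(...)') become extra commands.
    return "ping -c 1 " + host


def ping_command_safe(host: str) -> List[str]:
    # Validate against the allow-list, then build an argv list to be run
    # without a shell (subprocess.run(argv)); there is nothing left to
    # interpret metacharacters even if validation were bypassed.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable lookup with tautology payload:", lookup_user_vulnerable(db, tautology))
    print("parameterised lookup with same payload:  ", lookup_user_safe(db, tautology))
    print("vulnerable command string:", ping_command_vulnerable("example.com; whoami"))
    try:
        ping_command_safe("example.com; whoami")
    except ValueError as exc:
        print("hardened builder:", exc)
    print("hardened argv:", ping_command_safe("example.com"))
```

The tautology payload returns every row from the concatenated query and no rows from the parameterised one, which is exactly the difference a code reviewer should look for; for the command case, the combination of an allow-list and a shell-free argv list means a rejected value never reaches a shell at all.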

Top malware families – Mobile

This month xHelper retains its 1st place in the most prevalent mobile malware, followed by Guerilla and AndroidBauts.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user, and of reinstalling itself if uninstalled.